Researchers from deusen.co.uk published sample exploit code demonstrating how to hack dailymail.co.uk, Great Britain’s leading online daily newspaper. A specially crafted link takes users to dailymail.co.uk, where the page is followed by the message “Hacked by Deusen”.

The experts at Positive Technologies point out that there are several similar exploit examples on the Web that demonstrate the threats this new vulnerability poses to many sites, including those used for critical resources.

For example, check out this simulated attack video, posted on the PHDays website.

How to Stop this Threat

You must prevent your pages from being embedded in third-party IFrames by having the web server send the X-Frame-Options response header. The SAMEORIGIN value used below still lets pages from your own origin frame each other; DENY forbids framing altogether.

The Apache setting in .htaccess looks like this:

Header always append X-Frame-Options SAMEORIGIN

For nginx:

add_header X-Frame-Options SAMEORIGIN;

For IIS:

If you cannot set X-Frame-Options in your environment, you will need to tighten the rules of your web application firewall instead.
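A quick way to verify that the header above actually reaches the browser is to classify the response headers the way a browser does. The following audit script is an added example, not code from the article or from Positive Technologies; the header sets in SAMPLES are constructed, and fetch_policy is a hypothetical helper for checking a live site.

```python
import urllib.request

# Constructed sample responses (not captured from any real site).
# "merged" is what "Header always append" produces when the application
# behind Apache already sent its own X-Frame-Options header: Apache joins
# the two values with a comma, and the result no longer says one thing.
SAMPLES = {
    "apache_nginx": {"X-Frame-Options": "SAMEORIGIN"},
    "missing": {"Content-Type": "text/html"},
    "merged": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "typo": {"X-Frame-Options": "SAME-ORIGIN"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}

def framing_policy(headers):
    """Classify how a response restricts framing by other sites.

    Header names are matched case-insensitively. A Content-Security-Policy
    frame-ancestors directive takes precedence over X-Frame-Options in
    browsers that support it, so it is reported first.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return "csp:" + value.strip()
    xfo = lower.get("x-frame-options")
    if xfo is None:
        return "unprotected"        # any site may frame the page
    values = {v.strip().lower() for v in xfo.split(",") if v.strip()}
    if len(values) > 1:
        return "conflicting"        # differing values: fix the config, do not rely on it
    value = values.pop()
    if value in ("deny", "sameorigin"):
        return value
    if value.startswith("allow-from"):
        return "obsolete"           # ALLOW-FROM is not honoured by current browsers
    return "unprotected"            # unrecognised value: browsers ignore the header

def audit(samples):
    """Run framing_policy over a dict of named header sets."""
    return {name: framing_policy(h) for name, h in samples.items()}

def fetch_policy(url):
    """Hypothetical live check: HEAD the URL and classify its headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return framing_policy(dict(resp.headers.items()))

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:13} -> {verdict}")
```

Only "deny", "sameorigin" and a csp:'none' or csp:'self' verdict mean the page is protected; anything else should be treated as a misconfiguration.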

It is worth mentioning that lately zero-day vulnerabilities in infrastructure components, such as Shellshock and GHOST, have been publicized more and more often. Google has also added fuel to the fire with its recent disclosure of Windows security flaws, despite Microsoft’s requests for more flexibility on the matter. It seems the mainstream approach of “discover, help to fix, publish details” is no longer being followed.